icc

package
v0.0.0-...-a3b9779 Latest Latest
Published: Feb 19, 2024 License: GPL-3.0-only Imports: 28 Imported by: 0

Documentation

Index

Constants

// Padding values referenced by the PSO: DECIPHER command.
const (
	// p65, 7.2.11 PSO: DECIPHER, OpenPGP application Version 3.4
	// NOTE(review): presumably the leading padding-indicator byte of the
	// DECIPHER input, selecting RSA (0x00) or AES (0x02) processing - confirm
	// against the Decipher handler.
	RSA_PADDING = 0x00
	AES_PADDING = 0x02
)
// Data Object (DO) tags, algorithm and key identifiers, and password length
// limits used by the card implementation. Tags are one or two bytes wide, so
// they are compared as integers rather than as byte strings.
const (
	// p22, 4.4.1 DOs for GET DATA, OpenPGP application Version 3.4
	DO_APPLICATION_IDENTIFIER      = 0x4f
	DO_LOGIN_DATA                  = 0x5e
	DO_URL                         = 0x5f50
	DO_HISTORICAL_BYTES            = 0x5f52
	DO_CARDHOLDER_RELATED_DATA     = 0x65
	DO_APPLICATION_RELATED_DATA    = 0x6e
	DO_SECURITY_SUPPORT_TEMPLATE   = 0x7a
	DO_CARDHOLDER_CERTIFICATE      = 0x7f21 // TODO
	DO_EXTENDED_LENGTH_INFORMATION = 0x7f66
	DO_PW_STATUS_BYTES             = 0xc4
	DO_KEY_INFORMATION             = 0xde
	DO_ALGORITHM_INFORMATION       = 0xfa

	// DOs not directly accessible
	// NOTE(review): presumably these are only returned nested inside the
	// constructed DOs listed above - confirm against the GetData handler.
	DO_NAME                       = 0x5b
	DO_LANGUAGE                   = 0x5f2d
	DO_SEX                        = 0x5f35
	DO_DISCRETIONARY_DATA_OBJECTS = 0x73
	DO_EXTENDED_CAPABILITIES      = 0xc0
	DO_ALGORITHM_ATTRIBUTES_SIG   = 0xc1
	DO_ALGORITHM_ATTRIBUTES_DEC   = 0xc2
	DO_ALGORITHM_ATTRIBUTES_AUT   = 0xc3
	DO_FINGERPRINTS               = 0xc5
	DO_CA_FINGERPRINTS            = 0xc6
	DO_GENERATION_EPOCHS          = 0xcd
	DO_DIGITAL_SIGNATURE_COUNTER  = 0x93

	// p65, 7.2.11 PSO: DECIPHER, OpenPGP application Version 3.4
	DO_CIPHER = 0xa6
	DO_AES256 = 0xd5
	// p72, 7.2.14 GENERATE ASYMMETRIC KEY PAIR, OpenPGP application Version 3.4
	DO_PUB_KEY     = 0x7f49
	DO_RSA_MOD     = 0x81
	DO_RSA_EXP     = 0x82
	DO_EXT_PUB_KEY = 0x86

	// p33, 4.4.3.9 Algorithm Attributes, OpenPGP application Version 3.4
	// NOTE(review): RSA_KEY_SIZE and RSA_EXPONENT_SIZE are presumably bit
	// lengths as encoded in the algorithm attributes DO - confirm against
	// AlgorithmAttributes.
	RSA                    = 0x01
	RSA_KEY_SIZE           = 4096
	RSA_EXPONENT_SIZE      = 32
	IMPORT_FORMAT_STANDARD = 0x00

	// p33, 4.4.3.8 Key Information, OpenPGP application Version 3.4
	// KEY_SIG/KEY_DEC/KEY_AUT name the three key slots; the remaining three
	// values presumably encode the per-key status - confirm against
	// KeyInformation.
	KEY_SIG         = 0x01
	KEY_DEC         = 0x02
	KEY_AUT         = 0x03
	KEY_NOT_PRESENT = 0x00
	KEY_GENERATED   = 0x01
	KEY_IMPORTED    = 0x02

	// Maximum lengths for PW1, the resetting code (RC) and PW3.
	// NOTE(review): presumably byte counts reported in the PW status bytes;
	// whether inputs are checked against them is not visible here - confirm
	// in the Verify handler.
	PW1_MAX_LENGTH = 127
	RC_MAX_LENGTH  = 127
	PW3_MAX_LENGTH = 127
)
// APDU command identifiers handled by the card, plus the default PW1 retry
// budget.
const (
	// p48, 7.1 Usage of ISO Standard Commands, OpenPGP application Version 3.4.
	// NOTE(review): presumably matched against the INS byte of the incoming
	// command APDU - confirm against the Command dispatcher.
	SELECT                       = 0xa4
	GET_DATA                     = 0xca
	VERIFY                       = 0x20
	PUT_DATA_1                   = 0xda
	PUT_DATA_2                   = 0xdb
	GENERATE_ASYMMETRIC_KEY_PAIR = 0x47
	GET_CHALLENGE                = 0x84
	PERFORM_SECURITY_OPERATION   = 0x2a

	// Security Operations
	// NOTE(review): two-byte values, presumably the P1/P2 pair of a
	// PERFORM SECURITY OPERATION command packed as P1<<8 | P2 - confirm.
	COMPUTE_DIGITAL_SIGNATURE = 0x9e9a
	DECIPHER                  = 0x8086
	ENCIPHER                  = 0x8680

	// NOTE(review): presumably the number of PW1 verification attempts
	// reported to the host; whether the counter is decremented and enforced
	// on failed attempts is not visible here - confirm in the Verify handler.
	DEFAULT_PW1_ERROR_COUNTER = 3
)
// Password-related parameter values.
const (
	// NOTE(review): presumably the P1 values accepted by VERIFY (0x00 checks
	// the supplied password, 0xff drops the verification status) - confirm
	// against the Verify handler.
	PW_VERIFY = 0x00
	PW_LOCK   = 0xff

	// PW1 only valid for one PSO:CDS command
	PW1_CDS_MULTI = 0x00

	// NOTE(review): presumably the P2 password references for VERIFY: PW1 for
	// signing (PSO:CDS), PW1 for other operations, and PW3 (admin) - confirm.
	PW1_CDS = 0x81
	PW1     = 0x82
	PW3     = 0x83
)
// DiversifierPGP is the diversifier for hardware key derivation (OpenPGP key
// wrapping).
// NOTE(review): this is a fixed, exported label and therefore not secret;
// presumably the confidentiality of wrapped keys rests entirely on the
// device-specific hardware key it is combined with - confirm against Decrypt.
const DiversifierPGP = "GoKeySNVSOpenPGP"

Diversifier for hardware key derivation (OpenPGP key wrapping).

Variables

// Package-level card descriptors.
// NOTE(review): these are exported, mutable byte slices; where ATR,
// HISTORICAL_BYTES, EXTENDED_CAPABILITIES and EXTENDED_LENGTH are populated
// is not visible here, and any importer can modify them - confirm that they
// are only written during initialization.
var (
	ATR                   []byte
	HISTORICAL_BYTES      []byte
	EXTENDED_CAPABILITIES []byte
	EXTENDED_LENGTH       []byte

	// p15, 4.2.1 Application Identifier (AID), OpenPGP application Version 3.4
	// RID is the six-byte prefix used when building the AID.
	RID = []byte{0xd2, 0x76, 0x00, 0x01, 0x24, 0x01}
)

Functions

func CardKeyNotSupported

func CardKeyNotSupported() *apdu.RAPDU

func CommandCompleted

func CommandCompleted(data []byte) *apdu.RAPDU

func CommandNotAllowed

func CommandNotAllowed() *apdu.RAPDU

func Decrypt

func Decrypt(input []byte, diversifier []byte) (output []byte, err error)

func EncryptOFB

func EncryptOFB(key []byte, iv []byte, input []byte) (output []byte, err error)

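EncryptOFB performs symmetric encryption using AES-256-OFB. The initialization vector is prepended to the ciphertext and the HMAC for authentication is appended: `iv (16 bytes) || ciphertext || hmac (32 bytes)`. OFB provides confidentiality only, so the trailing HMAC is what authenticates the output and must be verified before the decrypted data is used; the IV must never repeat under the same key.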

func FileNotFound

func FileNotFound() *apdu.RAPDU

func LED

func LED(name string, on bool) (err error)

func Pad

func Pad(buf []byte, extraBlock bool) []byte

Pad implements PKCS7 compliant padding for symmetric AES operation.

func ReferencedDataNotFound

func ReferencedDataNotFound() *apdu.RAPDU

func SecurityConditionNotSatisfied

func SecurityConditionNotSatisfied() *apdu.RAPDU

func UnrecoverableError

func UnrecoverableError() *apdu.RAPDU

func VerifyFail

func VerifyFail(retries byte) *apdu.RAPDU

func WrongData

func WrongData() *apdu.RAPDU

Types

type Interface

// Interface implements an OpenPGP card instance.
type Interface struct {
	// Embedded mutex; its Lock and Unlock methods are promoted onto Interface.
	// NOTE(review): which methods acquire it is not visible here.
	sync.Mutex

	// Unique serial number
	Serial [4]byte
	// p30, 4.4.3.3 Name, OpenPGP application Version 3.4
	Name string
	// p30, 4.4.3.4 Language Preferences, OpenPGP application Version 3.4
	Language string
	// p31, 4.4.3.5 Sex, OpenPGP application Version 3.4
	Sex string

	// NOTE(review): presumably the values returned for DO_URL and
	// DO_LOGIN_DATA - confirm against GetData.
	URL       string
	LoginData []byte

	// enable APDU debugging
	// NOTE(review): VERIFY APDUs carry the private key passphrase in this
	// implementation, so confirm what the debug output includes before
	// enabling it outside development.
	Debug bool
	// enable device unique hardware encryption for bundled private keys
	SNVS bool

	// Armored secret key
	// NOTE(review): presumably the key material consumed by Init - confirm.
	ArmoredKey []byte
	// Secret key
	Key *openpgp.Entity
	// Signature subkey
	Sig *openpgp.Subkey
	// Decryption subkey
	Dec *openpgp.Subkey
	// Authentication subkey
	Aut *openpgp.Subkey

	// currently unused
	CA []*openpgp.Entity
	// contains filtered or unexported fields
}

Interface implements an OpenPGP card instance.

func (*Interface) AID

func (card *Interface) AID() (aid []byte)

AID implements p15, 4.2.1 Application Identifier (AID), OpenPGP application Version 3.4.

func (*Interface) ATR

func (card *Interface) ATR() (atr []byte)

ATR returns the Answer to reset (ATR) according to ISO/IEC 7816-4.

func (*Interface) AlgorithmAttributes

func (card *Interface) AlgorithmAttributes(subkey *openpgp.Subkey) (data []byte)

AlgorithmAttributes builds and returns the Data Objects specified at p34, 4.4.3.9 Algorithm Attributes, OpenPGP application Version 3.4.

func (*Interface) AlgorithmInformation

func (card *Interface) AlgorithmInformation() []byte

AlgorithmInformation implements p37, 4.4.3.11 Algorithm Information, OpenPGP application Version 3.4.

The standard is ambiguous on whether this DO needs to be present if algorithm attributes cannot be changed: the DO table suggests it is mandatory, but the DO description suggests otherwise.

Given that this implementation does not allow changes, the imported key attributes are returned.

func (*Interface) ApplicationRelatedData

func (card *Interface) ApplicationRelatedData() []byte

ApplicationRelatedData implements p30, 4.4.3.1 Application Related Data, OpenPGP application Version 3.4.

func (*Interface) CAFingerprints

func (card *Interface) CAFingerprints() (fingerprints []byte)

CAFingerprints collects card OpenPGP CA fingerprints and returns them in Data Object 0xC6. Currently unused (always empty).

func (*Interface) CardholderRelatedData

func (card *Interface) CardholderRelatedData() []byte

CardholderRelatedData builds and returns Data Object 0x65.

func (*Interface) Command

func (card *Interface) Command(capdu *apdu.CAPDU) (rapdu *apdu.RAPDU, err error)

Command parses an APDU command and redirects it to the relevant handler. An APDU response is returned.

func (*Interface) ComputeDigitalSignature

func (card *Interface) ComputeDigitalSignature(data []byte) (rapdu *apdu.RAPDU, err error)

ComputeDigitalSignature implements p62, 7.2.10 PSO: COMPUTE DIGITAL SIGNATURE, OpenPGP application Version 3.4.

func (*Interface) Decipher

func (card *Interface) Decipher(data []byte) (rapdu *apdu.RAPDU, err error)

Decipher implements p65, 7.2.11 PSO: DECIPHER, OpenPGP application Version 3.4.

func (*Interface) DigitalSignatureCounter

func (card *Interface) DigitalSignatureCounter() []byte

func (*Interface) DiscretionaryData

func (card *Interface) DiscretionaryData() []byte

DiscretionaryData builds and returns Data Object 0x73.

func (*Interface) Encipher

func (card *Interface) Encipher(data []byte) (rapdu *apdu.RAPDU, err error)

Encipher implements p68, 7.2.12 PSO: ENCIPHER, OpenPGP application Version 3.4.

func (*Interface) Fingerprints

func (card *Interface) Fingerprints() (fingerprints []byte)

Fingerprints collects card OpenPGP subkey fingerprints and returns them in Data Object 0xC5.

func (*Interface) GenerateAsymmetricKeyPair

func (card *Interface) GenerateAsymmetricKeyPair(params uint16, crt []byte) (rapdu *apdu.RAPDU, err error)

GenerateAsymmetricKeyPair implements p72, 7.2.14 GENERATE ASYMMETRIC KEY PAIR, OpenPGP application Version 3.4.

Generation of key pair is not implemented as card personalization is managed outside OpenPGP specifications and the PW3 PIN (required for this mode) is not supported.

Therefore this command can only be used to read public key templates.

func (*Interface) GenerationEpochs

func (card *Interface) GenerationEpochs() (epochs []byte)

GenerationEpochs collects card OpenPGP creation times and returns them in Data Object 0xCD.

func (*Interface) GetChallenge

func (card *Interface) GetChallenge(n int) (rapdu *apdu.RAPDU, err error)

GetChallenge implements p74, 7.2.15 GET CHALLENGE, OpenPGP application Version 3.4.

func (*Interface) GetData

func (card *Interface) GetData(tag uint16) (rapdu *apdu.RAPDU, err error)

GetData implements p57, 7.2.6 GET DATA, OpenPGP application Version 3.4.

func (*Interface) Init

func (card *Interface) Init() (err error)

Init initializes the OpenPGP card instance, using the passed armored secret key material.

The SNVS field indicates whether private keys (which are already encrypted with the passphrase unless the user created them without one) are to be stored encrypted at rest with a device specific hardware derived key.

func (*Interface) Initialized

func (card *Interface) Initialized() bool

Initialized returns the OpenPGP card initialization state.

func (*Interface) KeyInformation

func (card *Interface) KeyInformation() []byte

KeyInformation implements p33, 4.4.3.8 Key Information, OpenPGP application Version 3.4.

This information is required for Yubico OpenPGP attestation; this implementation doesn't (yet) support this feature, as its usefulness is questionable. Therefore we just flag all keys as imported (which also happens to be the only allowed mechanism for now).

func (*Interface) PWStatusBytes

func (card *Interface) PWStatusBytes() []byte

PWStatusBytes builds and returns Data Object 0xC4.

func (*Interface) PutData

func (card *Interface) PutData(tag uint16) (rapdu *apdu.RAPDU, err error)

PutData implements p60, 7.2.8 PUT DATA, OpenPGP application Version 3.4.

This is not implemented (always returns command not allowed) as card personalization is managed outside OpenPGP specifications and the PW3 PIN (required for this command) is not supported.

func (*Interface) RawCommand

func (card *Interface) RawCommand(buf []byte) ([]byte, error)

RawCommand parses a buffer representing an APDU command and redirects it to the relevant handler. A buffer representing the APDU response is returned.

func (*Interface) Restore

func (card *Interface) Restore(subkey *openpgp.Subkey) *packet.PrivateKey

Restore overwrites decrypted subkeys with their encrypted version, imported at card initialization.

func (*Interface) SecuritySupportTemplate

func (card *Interface) SecuritySupportTemplate() []byte

SecuritySupportTemplate builds and returns Data Object 0x7A.

func (*Interface) Select

func (card *Interface) Select(file []byte) (rapdu *apdu.RAPDU, _ error)

Select implements p50, 7.2.1 SELECT, OpenPGP application Version 3.4.

func (*Interface) ServeRPC

func (card *Interface) ServeRPC(rw io.ReadWriter) error

func (*Interface) Status

func (card *Interface) Status() string

Status returns card key fingerprints and encryption status in textual format.

func (*Interface) Verify

func (card *Interface) Verify(P1 byte, P2 byte, passphrase []byte) (rapdu *apdu.RAPDU, err error)

Verify implements p51, 7.2.2 VERIFY, OpenPGP application Version 3.4.

Unlike most smartcards, in this implementation PW1 represents the actual private key passphrase and it is used to decrypt the selected OpenPGP private subkey.

Therefore the passphrase/PIN verification status matches the presence of a decrypted subkey in memory.

Verification of the admin password (PW3) is not supported as, in this implementation, card personalization is managed outside OpenPGP specifications.
